Add phylum exception subcommand (#1557)

This patch adds a new `phylum exception` subcommand, with the three
`add`, `remove`, and `list` commands under it. These new subcommands
allow managing package exceptions to remove friction with Phylum's
firewall.

The add and remove subcommands are targeted at interactive use, pulling
logs from the package firewall and existing exceptions to suggest what
is most likely to be used for adding/removing an exception.

While currently firewall logs are pulled for adding exceptions, the
individual analysis results for each version are not listed in the
suggestions.

The `list` and `remove` subcommand allow managing both package and issue
suppressions, however `add` currently only supports adding package
exceptions.

Closes #1552.

Author: cd-work

CHANGELOG.md

@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+### Added
+
+- `phylum exception` subcommand for managing suppressions
+
 ## 7.2.0 - 2024-12-10
 
 ### Added

Cargo.lock

@@ -4,7 +4,7 @@ version = "7.2.0"
 authors = ["Phylum, Inc. <[email protected]>"]
 license = "GPL-3.0-or-later"
 edition = "2021"
-rust-version = "1.80.0"
+rust-version = "1.82.0"
 autotests = false
 
 [[test]]
@@ -38,6 +38,7 @@ git2 = { version = "0.19.0", default-features = false }
 git-version = "0.3.5"
 home = "0.5.3"
 ignore = { version = "0.4.20", optional = true }
+indexmap = "2.7.0"
 lazy_static = "1.4.0"
 libc = "0.2.135"
 log = "0.4.6"
@@ -48,7 +49,7 @@ phylum_lockfile = { path = "../lockfile", features = ["generator"] }
 phylum_project = { path = "../phylum_project" }
 phylum_types = { git = "https://github.com/phylum-dev/phylum-types", branch = "development" }
 prettytable-rs = "0.10.0"
-purl = "0.1.1"
+purl = { version = "0.1.5", features = ["serde"] }
 rand = "0.8.4"
 regex = "1.5.5"
 reqwest = { version = "0.12.7", features = ["blocking", "json", "rustls-tls", "rustls-tls-native-roots", "rustls-tls-webpki-roots"], default-features = false }

cli/Cargo.toml

@@ -197,6 +197,119 @@ pub fn firewall_log(api_uri: &str) -> Result<Url, BaseUriError> {
     Ok(get_firewall_path(api_uri)?.join("activity")?)
 }
 
+/// GET /organizations/<orgName>/groups/<groupName>/preferences.
+pub fn org_group_preferences(
+    api_uri: &str,
+    org_name: &str,
+    group_name: &str,
+) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend([
+        "organizations",
+        org_name,
+        "groups",
+        group_name,
+        "preferences",
+    ]);
+    Ok(url)
+}
+
+/// GET /preferences/group/<groupName>
+pub fn group_preferences(api_uri: &str, group_name: &str) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend(["preferences", "group", group_name]);
+    Ok(url)
+}
+
+/// GET /preferences/project/<projectId>
+pub fn project_preferences(api_uri: &str, project_id: &str) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend(["preferences", "project", project_id]);
+    Ok(url)
+}
+
+/// POST /organizations/<orgName>/groups/<groupName>/suppress.
+pub fn org_group_suppress(
+    api_uri: &str,
+    org_name: &str,
+    group_name: &str,
+) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend([
+        "organizations",
+        org_name,
+        "groups",
+        group_name,
+        "suppress",
+    ]);
+    Ok(url)
+}
+
+/// POST /preferences/group/<groupName>/suppress.
+pub fn group_suppress(api_uri: &str, group_name: &str) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend([
+        "preferences",
+        "group",
+        group_name,
+        "suppress",
+    ]);
+    Ok(url)
+}
+
+/// POST /preferences/project/<projectId>/suppress.
+pub fn project_suppress(api_uri: &str, project_id: &str) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend([
+        "preferences",
+        "project",
+        project_id,
+        "suppress",
+    ]);
+    Ok(url)
+}
+
+/// POST /organizations/<orgName>/groups/<groupName>/unsuppress.
+pub fn org_group_unsuppress(
+    api_uri: &str,
+    org_name: &str,
+    group_name: &str,
+) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend([
+        "organizations",
+        org_name,
+        "groups",
+        group_name,
+        "unsuppress",
+    ]);
+    Ok(url)
+}
+
+/// POST /preferences/group/<groupName>/unsuppress.
+pub fn group_unsuppress(api_uri: &str, group_name: &str) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend([
+        "preferences",
+        "group",
+        group_name,
+        "unsuppress",
+    ]);
+    Ok(url)
+}
+
+/// POST /preferences/project/<projectId>/unsuppress.
+pub fn project_unsuppress(api_uri: &str, project_id: &str) -> Result<Url, BaseUriError> {
+    let mut url = get_api_path(api_uri)?;
+    url.path_segments_mut().unwrap().pop_if_empty().extend([
+        "preferences",
+        "project",
+        project_id,
+        "unsuppress",
+    ]);
+    Ok(url)
+}
+
 /// GET /.well-known/openid-configuration
 pub fn oidc_discovery(api_uri: &str) -> Result<Url, BaseUriError> {
     Ok(get_api_path(api_uri)?.join(".well-known/openid-configuration")?)

cli/src/api/endpoints.rs

@@ -32,8 +32,8 @@ use crate::types::{
     FirewallLogFilter, FirewallLogResponse, FirewallPaginated, GetProjectResponse, HistoryJob,
     ListUserGroupsResponse, OrgGroupsResponse, OrgMembersResponse, OrgsResponse, PackageSpecifier,
     PackageSubmitResponse, Paginated, PingResponse, PolicyEvaluationRequest,
-    PolicyEvaluationResponse, PolicyEvaluationResponseRaw, ProjectListEntry, RevokeTokenRequest,
-    SubmitPackageRequest, UpdateProjectRequest, UserToken,
+    PolicyEvaluationResponse, PolicyEvaluationResponseRaw, Preferences, ProjectListEntry,
+    RevokeTokenRequest, SubmitPackageRequest, Suppression, UpdateProjectRequest, UserToken,
 };
 
 pub mod endpoints;
@@ -596,6 +596,93 @@ impl PhylumApi {
         Ok(log)
     }
 
+    /// Get group preferences.
+    pub async fn group_preferences(
+        &self,
+        org: Option<&str>,
+        group: &str,
+    ) -> Result<Preferences<'static>> {
+        match org {
+            Some(org) => {
+                let url =
+                    endpoints::org_group_preferences(&self.config.connection.uri, org, group)?;
+                self.get(url).await
+            },
+            None => {
+                #[derive(Deserialize)]
+                struct Response<'a> {
+                    preferences: Preferences<'a>,
+                }
+
+                let url = endpoints::group_preferences(&self.config.connection.uri, group)?;
+                Ok(self.get::<Response, _>(url).await?.preferences)
+            },
+        }
+    }
+
+    /// Get project preferences.
+    pub async fn project_preferences(&self, project_id: &str) -> Result<Preferences<'static>> {
+        #[derive(Deserialize)]
+        struct Response<'a> {
+            preferences: Preferences<'a>,
+        }
+
+        let url = endpoints::project_preferences(&self.config.connection.uri, project_id)?;
+        Ok(self.get::<Response, _>(url).await?.preferences)
+    }
+
+    /// Add group suppression.
+    pub async fn group_suppress(
+        &self,
+        org: Option<&str>,
+        group: &str,
+        suppressions: &[Suppression<'_>],
+    ) -> Result<()> {
+        let url = match org {
+            Some(org) => endpoints::org_group_suppress(&self.config.connection.uri, org, group)?,
+            None => endpoints::group_suppress(&self.config.connection.uri, group)?,
+        };
+        self.send_request_raw(Method::POST, url, Some(suppressions)).await?;
+        Ok(())
+    }
+
+    /// Get project suppression.
+    pub async fn project_suppress(
+        &self,
+        project_id: &str,
+        suppressions: &[Suppression<'_>],
+    ) -> Result<()> {
+        let url = endpoints::project_suppress(&self.config.connection.uri, project_id)?;
+        self.send_request_raw(Method::POST, url, Some(suppressions)).await?;
+        Ok(())
+    }
+
+    /// Remove group suppression.
+    pub async fn group_unsuppress(
+        &self,
+        org: Option<&str>,
+        group: &str,
+        unsuppressions: &[Suppression<'_>],
+    ) -> Result<()> {
+        let url = match org {
+            Some(org) => endpoints::org_group_unsuppress(&self.config.connection.uri, org, group)?,
+            None => endpoints::group_unsuppress(&self.config.connection.uri, group)?,
+        };
+        self.send_request_raw(Method::POST, url, Some(unsuppressions)).await?;
+        Ok(())
+    }
+
+    /// Remove project suppression.
+    pub async fn project_unsuppress(
+        &self,
+        project_id: &str,
+        unsuppressions: &[Suppression<'_>],
+    ) -> Result<()> {
+        let url = endpoints::project_unsuppress(&self.config.connection.uri, project_id)?;
+        self.send_request_raw(Method::POST, url, Some(unsuppressions)).await?;
+        Ok(())
+    }
+
     /// Get reachable vulnerabilities.
     #[cfg(feature = "vulnreach")]
     pub async fn vulnerabilities(&self, job: Job) -> Result<Vec<Vulnerability>> {